Topic: OpenSSL 0.9.8k Update Available

An update to OpenSSL 0.9.8k has been added to our downloads. This package works with all our current Apache packages.

Changes between 0.9.8j and 0.9.8k [25 Mar 2009]

*) Don't set val to NULL when freeing up structures, it is freed up by underlying code. If sizeof(void *) > sizeof(long) this can result in zeroing past the valid field. (CVE-2009-0789) [Paolo Ganci]

*) Fix bug where return value of CMS_SignerInfo_verify_content() was not checked correctly. This would allow some invalid signed attributes to appear to verify correctly. (CVE-2009-0591) [Ivan Nestlerode]

*) Reject UniversalString and BMPString types with invalid lengths. This prevents a crash in ASN1_STRING_print_ex() which assumes the strings have a legal length. (CVE-2009-0590) [Steve Henson]

*) Set S/MIME signing as the default purpose rather than setting it unconditionally. This allows applications to override it at the store level. [Steve Henson]

*) Permit restricted recursion of ASN1 strings. This is needed in practice to handle some structures. [Steve Henson]

*) Improve efficiency of mem_gets: don't search whole buffer each time for a '\n' [Jeremy Shapiro]
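
The CVE-2009-0590 entry above rejects UniversalString and BMPString values whose length is not legal for the type. The following is an added example, not OpenSSL's code and not part of the original post, showing that kind of check on a DER element before it reaches string handling. It assumes single-byte tags and the fixed widths of 4 bytes (UniversalString) and 2 bytes (BMPString) per character; `der_header` and `string_length_ok` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_UNIVERSALSTRING 0x1C /* 4 bytes per character */
#define TAG_BMPSTRING       0x1E /* 2 bytes per character */

/* Hypothetical helper: parse one DER tag/length header from buf[0..len).
 * Returns 0 and fills tag and content length, or -1 if the header is
 * truncated, uses indefinite length, or claims more content than present. */
static int der_header(const uint8_t *buf, size_t len, uint8_t *tag, size_t *clen)
{
    size_t pos = 2, v, n;
    if (len < 2) return -1;
    *tag = buf[0];
    v = buf[1];
    if (v >= 0x80) {                       /* long form: next n bytes hold the length */
        n = v & 0x7F;
        if (n == 0 || n > sizeof(size_t) || n > len - pos) return -1;
        for (v = 0; n > 0; n--) v = (v << 8) | buf[pos++];
    }
    if (v > len - pos) return -1;          /* content must fit in the buffer */
    *clen = v;
    return 0;
}

/* Returns 1 if the element may be passed on to string handling, 0 to reject. */
int string_length_ok(const uint8_t *buf, size_t len)
{
    uint8_t tag;
    size_t clen;
    if (der_header(buf, len, &tag, &clen) != 0) return 0;
    if (tag == TAG_UNIVERSALSTRING) return clen % 4 == 0;
    if (tag == TAG_BMPSTRING) return clen % 2 == 0;
    return 1;                              /* other types: no width rule checked here */
}

int main(void)
{
    /* Constructed samples: BMPString "AB" (4 bytes) and a 3-byte BMPString. */
    static const uint8_t good[] = {0x1E, 0x04, 0x00, 0x41, 0x00, 0x42};
    static const uint8_t bad[]  = {0x1E, 0x03, 0x00, 0x41, 0x00};
    printf("good=%d bad=%d\n", string_length_ok(good, sizeof good),
           string_length_ok(bad, sizeof bad));
    return 0;
}
```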